MI user email address issue
Office 365 requires that we sync our on-prem AD (aka MI, aka the NETID domain) to an Entra ID directory. This includes users, groups, and contacts. How this sync works is partly up to us, but some factors are out of our control. One issue we know about is that not all MI user email address values can be synced intact: only domains which are “accepted domains” in the tenant can be asserted as a mail value. The MI user email address value can currently be set, optionally, to any value for employees, students, and Exchange mailbox users. By default, all other MI user email address values are in the form <uwnetid>@u.washington.edu. So this issue is constrained to employees, students, and UW Exchange mailbox users.
Known Info:
- O365 syncs AD user mail attribute value to O365 user mail attribute.
- If domain suffix of mail attribute value isn’t an accepted domain in the O365 tenant, that domain suffix is replaced with a “dummy” domain suffix.
- Mail attribute is known to be used by:
  - Exchange mailbox users (loose association)
  - Exchange mail-enabled users (no mailbox but in the GAL)
  - SharePoint, as the target for alerts
  - Some other applications which integrate with MI
  - O365 mailbox users (both for their mailbox and via the GAL to all mail-enabled users)
  - O365 SharePoint users
- MI user mail attribute values have >150 domain suffixes.
- We can’t add all these domain suffixes as accepted domains, because this would preclude their use (in MS cloud) elsewhere.
- Know that O365 accepted domains will include: uw.edu, washington.edu, u.washington.edu, ol.uw.edu
- Desire to support both mailbox on-prem and mailbox in O365 for any given user.
Unknown:
- Don’t know if on-prem GAL and O365 GAL can accurately reflect mail attribute for mailbox users.
- Don’t know whether dual mailbox will work with GAL & mail attribute details.
- Don’t know what other mail domains O365 will have as accepted domains (ms.uw.edu? partnersforourchildren.org? etc.)
- Don’t know if on-prem GAL and O365 GAL can accurately reflect mail attribute for mail-enabled users.
- If not, then we may need to “force” a change of mail-enabled users’ mail addresses to enable the O365 SharePoint use case. Or disable O365 SharePoint for users with non-conforming values. Or carry it as an unresolved service problem.
- Unclear how mail address for Exchange distribution groups will work. Does/Can/Should exchange.washington.edu be an O365 accepted domain? Or does coexistence “know” how this works? Or do we need to add an additional email address to all distribution groups? Or?
Outcome
The issues described here were resolved by a couple of changes:
- Implementing DirSync (which has since been replaced by Entra ID Connect)
- Replacing all existing MI email values with <uwnetid>@uw.edu
- Changing the Kiwi agent to populate the mail attribute with <uwnetid>@uw.edu
- Otherwise turning over MI user mail attribute management to the MSCA service offering
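The two facts that drove this work were the sync rule (a mail value whose domain suffix is not an accepted domain gets rewritten to a dummy suffix) and the size of the problem (>150 distinct suffixes across MI users). The script below is an added example, not MI, Kiwi or MSCA tooling: it audits an exported list of AD user mail values against the accepted domains named on this page, tallies the suffixes, simulates the rewrite so you can see which users would lose their address on sync, and produces the <uwnetid>@uw.edu value the outcome adopted. The sample rows, the exact-match rule for accepted domains (no subdomain matching) and the dummy suffix `tenant-dummy.example` are assumptions made for the example; a real run would feed it the `sAMAccountName` and `mail` columns of an AD export.

```python
# Pre-sync audit of AD user "mail" values against an Entra/O365 accepted-domain list.
# Added example (not UW's MI/Kiwi/MSCA code). Input rows would normally come from an
# AD export of sAMAccountName and mail; here they are constructed sample data.
from collections import Counter

# Accepted domains named on the page. Exact match is assumed; subdomains such as
# dept.washington.edu are treated as NOT accepted unless listed here.
ACCEPTED_DOMAINS = {"uw.edu", "washington.edu", "u.washington.edu", "ol.uw.edu"}

# Placeholder for the "dummy" suffix the sync substitutes (assumption, not a real value).
DUMMY_SUFFIX = "tenant-dummy.example"

# Constructed sample rows (sAMAccountName, mail). Not real accounts.
SAMPLE_USERS = [
    ("alice", "alice@uw.edu"),
    ("bob", "bob@u.washington.edu"),
    ("carol", "carol@dept.washington.edu"),   # subdomain, not an accepted domain
    ("dave", "dave@partner.example.org"),     # external suffix
    ("erin", ""),                              # no mail value at all
    ("frank", "not-an-address"),              # malformed value
]


def domain_of(mail):
    """Return the lower-cased domain suffix of a mail value, or None if it is malformed."""
    if not mail or mail.count("@") != 1:
        return None
    local, domain = mail.split("@")
    if not local or not domain:
        return None
    return domain.lower()


def synced_mail(mail, accepted=ACCEPTED_DOMAINS, dummy=DUMMY_SUFFIX):
    """Simulate the sync rule: keep the value if its suffix is accepted, else swap the suffix."""
    dom = domain_of(mail)
    if dom is None:
        return None
    if dom in accepted:
        return mail
    return mail.split("@")[0] + "@" + dummy


def proposed_mail(sam, default_domain="uw.edu"):
    """The convention adopted in the outcome: <uwnetid>@uw.edu."""
    return f"{sam}@{default_domain}"


def audit(users, accepted=ACCEPTED_DOMAINS):
    """Classify each user as ok / nonconforming / malformed and tally domain suffixes.

    Returns a dict so callers can report counts, list affected users, or feed the
    nonconforming set into a remediation step.
    """
    ok, nonconforming, malformed = [], [], []
    suffixes = Counter()
    for sam, mail in users:
        dom = domain_of(mail)
        if dom is None:
            malformed.append((sam, mail))
            continue
        suffixes[dom] += 1
        if dom in accepted:
            ok.append((sam, mail))
        else:
            # Record what the user has now, what sync would turn it into, and the fix.
            nonconforming.append((sam, mail, synced_mail(mail, accepted), proposed_mail(sam)))
    return {
        "ok": ok,
        "nonconforming": nonconforming,
        "malformed": malformed,
        "suffixes": suffixes,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_USERS)
    print(f"{len(report['suffixes'])} distinct suffixes: {dict(report['suffixes'])}")
    print(f"{len(report['ok'])} ok, {len(report['nonconforming'])} nonconforming, "
          f"{len(report['malformed'])} malformed")
    for sam, mail, after_sync, fix in report["nonconforming"]:
        print(f"  {sam}: {mail} -> would sync as {after_sync}; proposed {fix}")
    for sam, mail in report["malformed"]:
        print(f"  {sam}: malformed mail value {mail!r}")
```

Running this before enabling the sync gives the list that has to be decided on user by user (keep, rewrite to the uw.edu convention, or accept the dummy suffix), and the suffix tally is the number the page quotes as >150. The simulated rewrite is only as accurate as the accepted-domain list you pass in, so refresh that list from the tenant rather than hard-coding it once the set of accepted domains is settled.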